Thanks for your detail explanation, Sean. Actually, I'm more concern how ovs l2 agent use vlans for tenant isolation on the br-int.
I wanna discuss it deeper here Please correct me if I understanding something wrong, Is there any way to make ovs l2agent to support QinQ? for example, I believe QinQ also is a kind of tunnel encapsulation, like vxlan, gre. and I think we can implement it using Hierarchical Port Binding technique It would need two level bindings(of course, need two mechanism drivers). the top-level binding service vlan, lower-level binding customer vlan. The br-int is responsible for customer vlan, the br-tun is responsible for service vlan, Is it feasible? please feel free to leave you any idea. Thanks At 2018-08-07 19:32:44, "Sean Mooney" <w...@seanmooney.info> wrote: >TL;DR >it wont work with the ovs agent but "should" work with linux bridge. >see full message below for details. >regards >sean. > >the linux bridge agent supports the vlan_transparent option only when >createing networks with an l3 segmentation type e.g. vxlan,gre... > >ovs using the neutron l2 agnet does not supprot vlan_transparent >netwroks because of how that agent use vlans for tenant isolation on >the br-int. > >it is possible to use achive vlan transparancy with ovs usign an sdn >controller such as odl or ovn but that was not what you asked in your >question so i wont expand on that futher. > >if you deploy openstack with linux bridge networking and then create a >tenant network of type vxlan with vlan_transparancy set to true and >your tenants >generate QinQ traffic with an mtu reduced so that it will fix within >the vxlan tunnel unfragmented then yes it should be possibly however >you may need to disable port_security/security groups on the port as >im not sure if the ip tables firewall driver will correctly handel >this case. > >an alternive to disabling security groups would be to add an explicit >rule that matched on the etehrnet type and allowed QinQ traffic on >ingress and egress from the vm. > >as far as i am aware this is not tested in the gate so while it should >work the lack of documentation and test coverage means you will >likely be one of the first to test it if you >choose to do so and it may fail for many reasons. > > >On 7 August 2018 at 09:15, Frank Wang <wangpeihui...@126.com> wrote: >> Hello folks, >> >> I noted that the API already has the vlan_transparent attribute in the >> network, Do neutron-agents(linux-bridge, openvswitch) support QinQ? I >> didn't find any reference materials that could guide me on how to use or >> configure it. >> >> Thank for your time reading this, Any comments would be appreciated. >> >> >> >> >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > >__________________________________________________________________________ >OpenStack Development Mailing List (not for usage questions) >Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev